Background: The privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses. The Department of Health and Human Services (HHS) has issued regulations entitled "Standards for Privacy of Individually Identifiable Health Information" ("Privacy Rules"), applicable to entities covered by HIPAA. The compliance date for most entities covered by the Privacy Rules is April 14, 2003. The primary purpose of the Privacy Rules is to require health plans and providers to maintain administrative and physical safeguards to protect the confidentiality of health information and protect against unauthorized access.
The regulations begin with the premise that "[a] covered entity may not use or disclose protected health information, except as permitted or required by [the regulations]." 45 C.F.R. § 164.502(a). The Privacy Rules, however, permit disclosures in response to an order of a court or administrative tribunal and in response to a subpoena – or in response to a discovery request, or other lawful process. Detailed and specific qualifications to these permitted disclosures are stated. In addition, disclosures are permitted for certain law enforcement and workers' compensation purposes.
Resources:
- Rules and Partial Regulatory History
- 45 CFR § 164.502
Excerpt from the Final Rule. This section sets the general rule of nondisclosure, and cross references section 164.512 for permitted disclosures. This section also
establishes that the "minimum necessary" standard does not apply to uses or disclosures required by law.
- 45 CFR § 164.512
Excerpt from the Final Rule. This section describes uses and disclosures required by law, including judicial and administrative subpoenas, certain law enforcement purposes, and for workers' compensation cases.
- 45 CFR Parts 160 and 164
This link is to an unofficial version of the entire rule prepared by HHS's Office for Civil Rights. The Federal Register version does not consolidate the Final Rule, so until the official version is published in the CFR, this is a good resource for viewing the final text.
- Regulatory History – Excerpt Regarding Employment Records
This exerpt is from the Final Rule. It explains HHS's decision to exclude employment records maintained by a covered entity in its capacity as an employer from the definition of ‘‘protected health information.''
- Regulatory History – Excerpt Regarding Relationship Between "Minimum Necessary" Standard and Workers' Compensation Laws
This excerpt is from the Final Rule. It explains HHS's view of how the "minimum necessary" rule would apply to workers' compensation laws.
See also HHS, Office for Civil Rights, Guidance on OCR HIPAA Privacy: Disclosures for Workers' Compensation Purposes [45 CFR 164.512(l)] (Dec. 3, 2002 revised April 3, 2003)
- Regulatory History - Excerpt Describing Proposed Regulations on Use and Disclosure for Judicial and Administrative Proceedings
This excerpt is from the preamble to the original proposed rule in November 1999. In the original proposal, this section was numbered section 164.510(d), and the rule governing permitted disclosures of this type appears to have
been more restrictive than as it appears in the Final Rule.
- Regulatory History - Excerpt Showing March 2002 Modification to Section Addressing Judicial and Administrative Proceedings
This excerpt is from March 2002 Modifications to the Proposed Rules. Still numbered as section 164.510(d), the rule was changed to provide that a covered entity could use or disclose protected health information under this section "provided that the individual is informed in advance of the use or disclosure...." This language does not appear in the Final Rule.
- Web Sites:
- Federal Register Documents:
- Dept. of Health and Human Services, Office for Civil Rights, Notice of Addresses for Submission of HIPAA Health Information Privacy Complaints, 68 Fed. Reg. 13711-12 (Mar. 20, 2003)
Delegation the Office for Civil Rights (OCR) the authority to receive and investigate complaints as they may relate to the Privacy Rule.
- Dept. of Health and Human Services, Office of the Secretary, Centers for Medicare & Medicaid Services, Final rule: Health Insurance Reform: Security Standards 45 CFR Parts 160, 162, and 164, 68 Fed. Reg. 8334-8381 (Feb. 20, 2003)
Final rule implementing some of the requirements of the Administrative Simplification subtitle of HIPAA. Purpose is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.
- Dept. of Health and Human Services, Office of the Secretary, 45 CFR Parts 160 and 164, Standards for Privacy of Individually Identifiable Health Information; Final Rule, 67 Fed. Reg. 53182-53273 (Aug. 14, 2002)
Final rule implementing the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996.
- Standards for Privacy of Individually Identifiable Health Information; Proposed Rule, Modification
On March 27, 2002, the Secretary of Health and Human Services published proposed modifications to the regulations implementing Section 264 of the Health Insurance Portability and Accountability
Act of 1996 (HIPAA). Office for Civil Rights, HHS, Proposed rule; modification, Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164, 67 Fed. Reg. 14775 (Mar. 27, 2002).
- Standards for Privacy of Individually Identifiable Health Information; Proposed Rule
On November 3, 1999, the Secretary of Health and Human Services promulgated proposed
regulations to implement Section 264 of the Health Insurance Portability and Accountability
Act of 1996 (HIPAA), Public Law 104-191, enacted August 21, 1996.
- Federal Register Notice: Health and Human Services, Proposed Rule, Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 through 164, 64 Fed. Reg. 59917 (Nov. 3, 1999)
HTML |
PDF
Version
| |
|